
I used brakeman for generating scanning reports in my application. It generated many Cross Site Scripting security warnings with High Confidence in my reports/show page:

Unescaped model attribute near line 104: Report.find(params[:id]).remarks

I have looked at the link but couldn't fix it. Please help. This is the line in the show page where I am getting the error:

<%= @report.remarks.html_safe %>

1 Answer

Brakeman warns about any cases of potential user input being output without HTML escaping. Values from the database count as "potential user input".

If you are expecting remarks on reports to contain HTML that you wish the browser to interpret as HTML, then you must use html_safe and you are responsible for ensuring the HTML is safe - perhaps by calling sanitize or strip_tags. If you are not expecting remarks to contain HTML, then remove the call to html_safe.

The html_safe call essentially tells Rails "this string is safe, do not escape it." If that is what you intend, then you can ignore these warnings.


3 Comments

That did the trick; I wrote <%= sanitize @report.remarks.html_safe %>
I'm curious, why not just <%= @report.remarks %>? That would be safer and simpler.
Actually, it is a maintenance project. The previous developer wrote a comment before this line saying "To keep remarks field safer". So, without any modification, I continued with html_safe :)
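An added illustration, not code from the answer, the question or Rails itself, of the three renderings the answer and the comments compare: escape-by-default output, output marked with html_safe, and sanitized output. It assumes Rails is not loaded, so SafeString, render_value and sanitize_simple are simplified stand-ins for ActiveSupport::SafeBuffer, the escaping done by <%= %>, and rails-html-sanitizer.

```ruby
require 'erb'

# Minimal stand-in for ActiveSupport::SafeBuffer. Assumption: Rails is not
# loaded; only the "marked safe" flag that html_safe sets is modelled.
class SafeString < String
  def html_safe?
    true
  end
end

class String
  def html_safe?
    false
  end

  def html_safe
    SafeString.new(self)
  end
end

# What Rails' <%= %> effectively does: escape unless the value is marked safe.
# Stdlib ERB does not auto-escape, so that rule is spelled out here.
def render_value(value)
  value.html_safe? ? value.to_s : ERB::Util.html_escape(value)
end

# Stand-in for sanitize: escape everything, then restore only exact,
# attribute-free tags from an allow-list (Rails uses rails-html-sanitizer).
ALLOWED_TAGS = %w[b i em strong p br].freeze

def sanitize_simple(html)
  out = ERB::Util.html_escape(html.to_s)
  ALLOWED_TAGS.each do |tag|
    out = out.gsub("&lt;#{tag}&gt;", "<#{tag}>").gsub("&lt;/#{tag}&gt;", "</#{tag}>")
  end
  out.html_safe
end

# Constructed sample of a stored remark; the script tag is the XSS marker.
STORED_REMARK = 'Looks good <b>overall</b><script>alert(1)</script>'.freeze

def render_remark(mode)
  case mode
  when :escaped   then render_value(STORED_REMARK)                  # <%= @report.remarks %>
  when :html_safe then render_value(STORED_REMARK.html_safe)        # <%= @report.remarks.html_safe %>
  when :sanitized then render_value(sanitize_simple(STORED_REMARK)) # <%= sanitize @report.remarks %>
  end
end

%i[escaped html_safe sanitized].each { |m| puts "#{m}: #{render_remark(m)}" } if $PROGRAM_NAME == __FILE__
```

Only the :html_safe rendering emits the stored script tag verbatim, which is exactly the case Brakeman flags; a tag carrying attributes is left escaped by sanitize_simple rather than restored.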
